OWA Phish – a new vector (2)

Here are some technical details to expand on the previous post from Darya.

1. The Spam

According to our preliminary research, the spam emails which attacked OWA users, including Kaspersky, were sent using the pushdo botnet – which is based on malware from the Backdoor.Win32.NewRes family. These Trojans spread via spam, social networks (in conjunction with the Koobface family) and through hacked websites.

The spam emails link to a phishing webpage which is registered to 15 dynamic IP addresses located in separate IP sectors and which are constantly changing.

2. The Phish

An analysis of the phishing site proves that the criminals are using rock phishing techniques – typical rock phish structure and together with dynamic content which morphs to target users from the domain under attack.

3. The Trojan

This OWA phishing attack is spreading a variant of Trojan-Spy.Win32.Zbot – a Trojan which steals passwords fstored on the infected machines; specifically passwords to local applications, passwords to websites etc. The Trojan also has keyboard logger functionality. Finally, this Zbot can also download other malware if required. In this instance, the command and control center is located in the Ukraine.


This particular attack is using well-known methods overall. The notable features of the attack are the domain name spoofing and the creation of a phishing site which mimics OWA pages. The rest is as usual.

OWA Phish – a new vector (2)

Your email address will not be published. Required fields are marked *



How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox